Bug 2416907 (CVE-2025-65018)

Summary: CVE-2025-65018 libpng: LIBPNG heap buffer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, ahughes, caswilli, fferrari, fitzsim, gotiwari, jgrulich, jhorak, kaycoth, khosford, kshier, mvyas, neugens, pjindal, stcannon, teagle, tpopela, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A buffer overflow flaw has been discovered in libpng. There is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2417407, 2417409, 2417412, 2417416, 2417419, 2417423, 2417427, 2417431, 2417433, 2417437, 2417442, 2417444, 2417446, 2417463, 2417466, 2417471, 2417473, 2417475, 2417478, 2417448, 2417452, 2417456, 2417458, 2417460, 2417480, 2417482, 2417484, 2417486, 2417488    
Bug Blocks:    

Description OSIDB Bzimport 2025-11-25 00:01:34 UTC 
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
Comment 2 errata-xmlrpc 2026-01-06 11:21:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0125 https://access.redhat.com/errata/RHSA-2026:0125
Comment 3 errata-xmlrpc 2026-01-07 09:16:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:0212 https://access.redhat.com/errata/RHSA-2026:0212
Comment 4 errata-xmlrpc 2026-01-07 11:15:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0216 https://access.redhat.com/errata/RHSA-2026:0216
Comment 5 errata-xmlrpc 2026-01-07 12:44:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0211 https://access.redhat.com/errata/RHSA-2026:0211
Comment 6 errata-xmlrpc 2026-01-07 12:48:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:0210 https://access.redhat.com/errata/RHSA-2026:0210
Comment 7 errata-xmlrpc 2026-01-07 12:58:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0234 https://access.redhat.com/errata/RHSA-2026:0234
Comment 8 errata-xmlrpc 2026-01-07 13:19:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:0237 https://access.redhat.com/errata/RHSA-2026:0237
Comment 9 errata-xmlrpc 2026-01-07 13:30:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:0238 https://access.redhat.com/errata/RHSA-2026:0238
Comment 10 errata-xmlrpc 2026-01-07 14:12:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0241 https://access.redhat.com/errata/RHSA-2026:0241
Comment 11 errata-xmlrpc 2026-01-08 11:23:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0323 https://access.redhat.com/errata/RHSA-2026:0323
Comment 12 errata-xmlrpc 2026-01-08 11:26:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0321 https://access.redhat.com/errata/RHSA-2026:0321
Comment 13 errata-xmlrpc 2026-01-08 11:33:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0313 https://access.redhat.com/errata/RHSA-2026:0313
Comment 14 errata-xmlrpc 2026-01-08 12:01:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0322 https://access.redhat.com/errata/RHSA-2026:0322
Comment 16 errata-xmlrpc 2026-01-21 13:47:59 UTC 
This issue has been addressed in the following products:

  OPENJDK ELS 11.0.30

Via RHSA-2026:0849 https://access.redhat.com/errata/RHSA-2026:0849